Why ISO 22301 Certification Takes Longer Than It Should
If your ISO 22301 certification is taking too long, you are not alone. Business continuity management is one of the more complex standards to implement, and most organisations that stall during the process do so for the same handful of reasons. The good news is that once you can identify the specific blocker, fixing it is usually straightforward.
ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It requires your organisation to identify threats, assess their impact, build recovery strategies, test those strategies, and demonstrate that the whole system is actively managed. That is a lot of moving parts, and each one is a potential delay point.
This article walks through the most common reasons ISO 22301 certification projects drag on, what actually causes each delay, and what you can do to get things moving again. Whether you are six months in and still not ready for Stage 1, or you have been sitting on corrective actions for weeks, there is something here for you.
Blocker 1: The Business Impact Analysis Is Not Finished
The Business Impact Analysis, or BIA, is the foundation of your entire BCMS. Without a credible, completed BIA, nothing else in your system can be properly built. Yet this is the single most common reason certification projects stall.
Why the BIA Gets Stuck
The BIA requires input from across the business. You need department heads to quantify what would happen if their function were unavailable for two hours, two days, or two weeks. You need finance to confirm revenue impacts. You need operations to map critical dependencies. In most organisations, getting this information out of busy managers is like pulling teeth.
The other issue is scope creep. Organisations try to make their BIA cover every conceivable scenario in exhaustive detail, and the document becomes so large and complicated that nobody finishes it. A BIA does not need to be a 200-page masterpiece. It needs to be accurate, defensible, and usable.
How to Fix It
Set a deadline and hold it. Assign one person to own the BIA process and give them authority to chase responses. Use a simple template with clear questions and a defined return date. If a department head will not respond, escalate to the executive sponsor immediately. Do not let the BIA sit in someone's inbox for three weeks.
Also, be realistic about your Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). Auditors are not looking for perfection. They are looking for evidence that you have genuinely assessed your business and made reasonable, documented decisions about what matters most.
Blocker 2: Leadership Is Not Actually Engaged
ISO 22301 has strong requirements around top management commitment. Clause 5 of the standard requires leadership to demonstrate genuine engagement with the BCMS, not just sign off on a policy document once and disappear.
What Genuine Engagement Looks Like
In practice, this means senior leaders need to participate in management reviews, understand the key risks identified in the BIA, approve the business continuity strategy, and be visible in exercises and testing. If your CEO has never heard of your recovery time objectives, that is a problem your auditor will find.
Many certification projects stall because the project is entirely owned by a quality or risk manager who cannot get time in the executive calendar. Documents get drafted, but nobody with authority reviews or approves them. The system exists on paper but has no real organisational weight behind it.
How to Fix It
Frame business continuity in terms leadership cares about. Talk about contract risk, reputational damage, regulatory exposure, and the cost of downtime in dollar terms. Get a specific executive sponsor named and accountable. Put BCMS reviews on the board agenda, not just the quality team's meeting schedule.
If leadership genuinely will not engage, that is a signal worth taking seriously. A BCMS without executive commitment will not just fail certification. It will fail in an actual incident.
Blocker 3: Scope Definition Has Not Been Finalised
One of the earliest decisions in any ISO certification project is defining the scope. For ISO 22301, this means deciding which parts of your organisation, which locations, which products and services, and which threats fall within the BCMS boundary. Getting this wrong, or leaving it undefined for too long, creates a cascade of delays downstream.
The Scope Trap
Organisations often try to include everything in scope from the start. This is understandable but counterproductive. A broader scope means more BIA work, more recovery strategies to document, more procedures to write, and more testing to conduct. For a first certification, a tighter, well-defined scope that you can genuinely demonstrate is far better than a broad scope that is only partially implemented.
On the other hand, some organisations define a scope so narrow that it does not reflect how the business actually operates. Auditors will push back if your scope conveniently excludes all the hard parts.
How to Fix It
Agree on scope in writing before any other significant work begins. Document the rationale for what is included and excluded. If you are unsure, get advice early. A good consultant or pre-assessment can save you months of rework. You can read more about how to determine the scope of a management system if you want a more detailed breakdown of the process.
Blocker 4: Business Continuity Plans Are Too Generic
Many organisations download a business continuity plan template, fill in the blanks, and assume they are ready for audit. They are not. Generic plans that do not reflect your actual operations, your actual staff, your actual suppliers, and your actual systems will be identified immediately by an experienced auditor.
What Auditors Actually Look For
Your BC plans need to show that recovery actions are specific, assigned, and tested. Who calls whom? Which system gets restored first? Who has the authority to invoke the plan? Where are the backup resources located? If the answers to these questions are not in the document, the plan will not pass scrutiny.
Auditors will also look for evidence that staff know the plans exist and understand their role in them. A plan that lives in a folder on the quality manager's computer and has never been communicated to the people who need to execute it is not a functional plan.
How to Fix It
Build plans around real scenarios. Run a tabletop exercise before your Stage 2 audit and document the outcomes. Update the plans based on what you learn. Make sure every plan has a named owner, a version number, and a review date. Keep the language simple enough that someone under pressure in a real incident can actually follow it.
Blocker 5: Testing and Exercising Has Not Been Done
ISO 22301 requires you to test your business continuity plans through exercises. This is not optional, and it cannot be faked. If you arrive at your Stage 2 audit without documented evidence of at least one exercise, you will not be certified.
Why Organisations Skip Testing
Testing takes time and requires coordination. It can also be uncomfortable, because exercises tend to expose gaps in your plans. Many organisations put testing off until after they feel the plans are “ready”. The problem is that plans are never truly ready until they have been tested. The exercise is what makes them ready.
There is also a misconception that exercises need to be elaborate, full-scale simulations that disrupt operations. Most auditors are perfectly satisfied with a well-run tabletop exercise that is properly documented and results in meaningful lessons learned.
How to Fix It
Schedule your first exercise early in the implementation process, not at the end. A tabletop exercise involving key staff, a realistic scenario, and a structured debrief will generate the evidence you need. Document the scenario, the participants, the actions taken, the gaps identified, and the corrective actions raised. That documentation is exactly what your auditor wants to see.
You can find practical guidance on structuring this kind of activity in our article on how to run a business continuity exercise under ISO 22301.
Blocker 6: Documentation Is Incomplete or Inconsistent
ISO 22301 has specific documented information requirements. Your BCMS needs a business continuity policy, a BIA, a risk assessment, business continuity strategies, BC plans, and records of exercises, management reviews, internal audits, and corrective actions. If any of these are missing or inconsistent with each other, your certification will be delayed.
The Consistency Problem
Inconsistency is more common than outright gaps. Your BIA identifies three critical processes, but your BC plans only cover two of them. Your risk assessment references threats that are not addressed in your recovery strategies. Your policy commits to a recovery time that your plans do not actually support. These mismatches create nonconformities that require rework before certification can proceed.
How to Fix It
Before your Stage 1 audit, do a gap analysis that specifically checks for consistency across documents, not just completeness. Trace each critical process from the BIA through the risk assessment, into the recovery strategy, and into the BC plan. If the thread breaks anywhere, fix it before the auditor finds it. Our article on things to do before an ISO Stage 1 readiness audit covers this kind of pre-audit preparation in detail.
Blocker 7: The Wrong Consultant or No Consultant at All
ISO 22301 is a specialist standard. A consultant who is excellent at ISO 9001 or ISO 14001 may not have deep experience with business continuity management. If your consultant does not understand how to build a BIA, how to structure recovery strategies, or what auditors specifically look for in a BCMS, you will spend more time and money than necessary.
Signs Your Consultant Is Not the Right Fit
They produce generic templates that do not match your industry. They cannot explain the difference between a recovery time objective and a recovery point objective. They have never conducted a business continuity exercise. They are not familiar with how ISO 22301 differs from a standard disaster recovery plan. Any of these signals should prompt you to reassess.
Going it alone without any consultant support is also a common cause of delays, particularly for organisations implementing ISO 22301 for the first time. The standard has nuances that are not obvious from reading the text, and getting guidance from someone who has been through the process before can cut months off your timeline.
How to Fix It
If you are selecting a consultant now, look specifically for someone with ISO 22301 auditing or implementation experience, not just general ISO knowledge. Ask for examples of previous BCMS projects and check that they understand your industry context. If you have already engaged a consultant who is not delivering, it may be worth getting a second opinion before investing more time in the wrong direction.
The article on how to spot a bad ISO consultant is worth reading if you have any doubts about the support you are currently receiving.
Blocker 8: Corrective Actions From Stage 1 Are Not Being Closed
Your Stage 1 audit is a readiness review. It is designed to identify gaps before your Stage 2 certification audit. Most organisations receive a list of items to address after Stage 1, and the gap between Stage 1 and Stage 2 is where many projects stall.
Why Corrective Actions Sit Open
After the adrenaline of Stage 1 wears off, the day-to-day business takes over. The person responsible for closing corrective actions gets pulled into other priorities. Weeks pass. The Stage 2 audit date approaches and the actions are still open. The audit gets postponed, which adds cost and extends the timeline further.
Some organisations also treat Stage 1 findings as minor and underestimate the work required to address them properly. An auditor who raised a finding about your BIA methodology is not going to be satisfied with a note saying “BIA updated”. They want to see the updated BIA, evidence it was reviewed by management, and confirmation that the downstream documents have been revised accordingly.
How to Fix It
Treat Stage 1 findings with the same urgency as a client deadline. Assign each finding to a named owner with a due date. Hold a weekly review of open actions until they are all closed. Do not book your Stage 2 audit until you are genuinely confident every finding has been addressed with evidence. Preparing properly for your Stage 2 certification audit is the difference between a smooth certification and another round of delays.
How Long Should ISO 22301 Certification Actually Take?
For a small to medium-sized organisation implementing ISO 22301 for the first time, a realistic timeline is six to twelve months from project kick-off to certification. Larger or more complex organisations may need twelve to eighteen months, particularly if they have multiple sites or highly complex operations.
If you are well past these timeframes and still not certified, one or more of the blockers described in this article is almost certainly the cause. The most common combination is an incomplete BIA, lack of executive engagement, and testing that has not been done. Address those three things and most projects start moving again.
Understanding what ISO 22301 certification costs is also useful context when planning your project timeline, since budget constraints are sometimes an indirect cause of delays.
For a broader view of what drives delays across ISO certification projects generally, the ISO 22301:2019 standard overview on ISO.org is a useful reference for understanding what the standard actually requires before you commit to a timeline.
Getting the Right Help From the Start
Most ISO 22301 certification delays are avoidable. They come down to starting without a clear plan, underestimating the BIA, not getting leadership on board early enough, or working with a consultant who does not have the right experience for this particular standard.
If you are at the beginning of your ISO 22301 journey and want to avoid these pitfalls, or if you are stuck mid-project and need a fresh perspective, getting quotes from multiple experienced providers is a smart first step. CertBetter connects businesses with verified ISO consultants and accredited certification bodies who have genuine ISO 22301 experience. You submit one form and receive up to three competing quotes, at no cost to you. It is a practical way to make sure you are working with the right people before more time and money are spent.




